{ "canonical_id": "undici--CVE-2025-47279", "system_id": "undici", "display_name": "Undici", "category": "frameworks", "advisory_mode": "core", "title": "undici Denial of Service attack via bad certificate data", "summary": "### Impact\n\nApplications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. \n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/pull/4088.\n\n### Workarounds\n\nIf a webhook fails, avoid keep calling it repeatedly.\n\n### References\n\nReported as: https://github.com/nodejs/undici/issues/3895", "published_at": "2025-05-15T14:15:06Z", "updated_at": "2026-02-06T22:08:08.311705Z", "severity": "low", "cvss_score": 3.1, "exploit_status": "unknown", "source_confidence": "official", "official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3", "secondary_source_urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2025-47279", "https://github.com/nodejs/undici/issues/3895", "https://github.com/nodejs/undici/pull/4088", "https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25", "https://github.com/nodejs/undici" ], "aliases": [ "CVE-2025-47279", "GHSA-cxrh-j4jr-qwg3" ], "cve_ids": [ "CVE-2025-47279" ], "ghsa_ids": [ "GHSA-cxrh-j4jr-qwg3" ], "osv_ids": [ "GHSA-cxrh-j4jr-qwg3" ], "affected_versions": [ "introduced=0, fixed<5.29.0", "introduced=6.0.0, fixed<6.21.2", "introduced=7.0.0, fixed<7.5.0" ], "fixed_versions": [ "5.29.0", "6.21.2", "7.5.0" ], "package_name": "undici", "render_markdown": true, "case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2025-47279.md", "secure_code_topics": [ "ssrf-url-validation", "proxy-trust-boundary" ], "status": "generated", "triage_reasons": [], "metadata": { "source_names": [ "OSV Undici" ], "source_kinds": [ "osv-batch" ], "candidate_count": 1 } }